b'Report No. DODIG-2013-048      February 20, 2013\n\n\n\n\n         Quality Control Review of the\n       PricewaterhouseCoopers, LLP and\n      the Defense Contract Audit Agency\n           FY 2010 Single Audit of the\n         Institute for Defense Analyses\n\x0cAdditional Information and Copies\nThe Department of Defense, Office of the Assistant Inspector General for Audit Policy\nand Oversight, prepared this report. To obtain additional copies of the final report, visit\nwww.dodig.mil/audit/reports or contact the Office of the Assistant Inspector General for\nAudit Policy and Oversight at (703) 604-8760 or fax (571) 372-7454.\n\nSuggestions for Reviews\nTo suggest or request reviews, contact the Office of the Assistant Inspector General for\nAudit Policy and Oversight by phone (703) 604-8760 (DSN 664-8760), by fax\n(571) 372-7454, or by mail:\n\n                       Department of Defense Inspector General\n                       AIG-APO\n                       ATTN: Suite 11D28\n                       4800 Mark Center Drive\n                       Alexandria, VA 22350-1500\n\n\n\n\nAcronyms and Abbreviations\n\nAICPA          American Institute of Certified Public Accountants\nCAM            Contract Audit Manual\nDCAA           Defense Contract Audit Agency\nFOUO           For Official Use Only\nOMB            Office of Management and Budget\nR&D            Research and Development\n\x0c                                              INSPECTOR GENERAL\n                                               DEPARTMENT OF DEFENSE\n                                               4800 MARK CENTER DRIVE\n                                            ALEXANDRIA, VIRGINIA 22350-1500\n\n\n\n\n                                                                                                     February 20, 2013\n\nDirector\nDefense Contract Audit Agency\n\nBranch Manager\nChesapeake Bay Branch Office\nDefense Contract Audit Agency\n\nTreasurer\nInstitute for Defense Analyses\n\nSUBJECT: Quality Control Review of the PricewaterhouseCoopers, LLP and the Defense\n         Contract Audit Agency FY 2010 Single Audit of the Institute for Defense Analyses\n         (Report No. DODIG-2013-048)\n\n       We are providing this report for your review and comment. We considered management\ncomments on a draft of this report when preparing the final report. DCAA management\ncomments were partially responsive; therefore we request additional comments on\nRecommendation 1a. by March 22th, 2013. As the cognizant Federal agency for the Institute for\nDefense Analyses (the Institute), we performed a review of the PricewaterhouseCoopers, LLP\nand the Defense Contract Audit Agency (DCAA) single audit and supporting working papers for\nthe audit period September 26, 2009, through September 24, 2010. The purpose of our review\nwas to determine whether the single audit was conducted in accordance with auditing standards 1\nand the auditing and reporting requirements of the Office of Management and Budget (OMB)\nCircular A-133, \xe2\x80\x9cAudits of States, Local Governments, and Non-Profit Organizations.\xe2\x80\x9d\nAppendix A contains additional background, scope, and methodology of the review.\n\nBackground. The Institute is a nonprofit corporation, in Alexandria, Virginia, that operates\nthree federally funded research and development (R&D) centers to provide objective analyses of\nnational security issues, requiring scientific and technical expertise, and to conduct related\nresearch on other national challenges. Two of the federally funded R&D centers are sponsored\nby DoD and one is sponsored by the National Science Foundation. The Institute expended\n$226.8 million in Federal awards for the fiscal year ended September 24, 2010, under one\nFederal program, the R&D cluster. Of the $226.8 million, $215.8 million was expended for DoD\nprograms.\n\n\n\n\n1\n  Auditing standards include both Government Auditing Standards and the American Institute of Certified Public Accountants\xe2\x80\x99\naudit standards.\n\x0cThe PricewaterhouseCoopers office in McLean, Virginia, and the DCAA Chesapeake Bay\nBranch Office performed a coordinated audit. PricewaterhouseCoopers was responsible for the\naudit of the financial statements and the Schedule of Expenditures of Federal Awards. DCAA\nperformed the audit of the R&D program cluster. Appendix B lists the compliance requirements\nthat the DCAA considered applicable to the FY 2010 single audit.\n\nReview Results. DCAA did not comply with Circular A-133 requirements, auditing\nstandards, and DCAA guidance for the FY 2010 single audit. Specifically, the auditors did not\nadequately plan, perform, and document the audit procedures to support their conclusions on the\nten compliance requirements applicable to the R&D cluster (Finding A). We also identified\ndeficiencies in the performance of fraud risk assessment procedures (Finding A) and the\ncompletion of the Circular A-133 report (Finding B). Therefore, additional audit work is needed\nbefore Federal agencies can rely on the audit for assurance that the Institute managed Federal\nawards in compliance with laws, regulations, and award provisions.\n\nThe PricewaterhouseCoopers audit of the financial statements and Schedule of Expenditures of\nFederal Awards met auditing standards and Circular A-133 requirements.\n\nThe Institute generally met Circular A-133 requirements except that the corrective action plan\nwas not submitted with the single audit reporting package when it was initially filed with the\nFederal Audit Clearinghouse (Finding B).\n\nManagement Comments and DoDIG Response. The Defense Contract Audit Agency\nand the Institute agreed to take the recommended actions. DCAA management comments were\npartially responsive; therefore additional comments are requested on Recommendation 1a.\nManagement comments are included in their entirety at the end of this report.\n\nFinding A. Planning, Performance, and\nDocumentation of the Federal Program Audit\nDCAA did not adequately plan the audit because the sampling methodology did not comply with\nauditing standards and Circular A-133 requirements for testing internal control over and\ncompliance with each applicable compliance requirement in the R&D program cluster. In\naddition, the DCAA auditors did not perform and document adequate internal control review\nprocedures or compliance testing to support audit conclusions on each requirement. The auditors\nalso did not plan and perform adequate fraud risk assessment procedures. Because of these\ndeficiencies, the audit lacked sufficient and appropriate evidence to support DCAA\xe2\x80\x99s conclusions\non internal control and opinion on compliance. Additionally, the audit does not provide Federal\nprogram managers with information needed to ensure accountability over program funds. As a\nresult, Federal agencies cannot rely on the audit to manage and monitor program awards.\n\nAudit Planning. DCAA did not adequately plan the audit because the sampling approach did\nnot ensure that the auditors\xe2\x80\x99 sample was representative of the universe of R&D awards.\nGuidance on sampling is contained in the auditing standards and the American Institute of\n\n\n                                                2\n\x0cCertified Public Accountants (AICPA) Audit Guide, \xe2\x80\x9cGovernment Auditing Standards and\nCircular A-133 Audits,\xe2\x80\x9d (AICPA Circular A-133 Audit Guide). The guidance provides sampling\nconsiderations and documentation requirements to ensure that the sampling approach used in the\nsingle audit provides sufficient and appropriate evidence. The guidance covers ensuring that the\nsample population is appropriate for the audit objective, that the sample size is consistent with\nthe determined risk of noncompliance, and that the sample selection process results in a sample\nthat is representative of the universe. In addition, the Circular A-133 Compliance Supplement\nPart 5, \xe2\x80\x9cClusters of Programs,\xe2\x80\x9d provides specific sampling guidance for the R&D program\ncluster and states that the sample selected should come from a variety of award sizes, types, and\nfunding sources. This guidance is intended to address the unique factor that the cluster is\nnormally composed of awards from many Federal agencies and also ensures that the sample is\ndrawn from the entire universe of awards to provide appropriate coverage for all Federal\nagencies.\n\nThe Institute\xe2\x80\x99s awards and contracts are all considered to be a part of one major program, the\nR&D cluster. Based on our review of the working papers and discussions with DCAA, we\nconcluded that the auditors did not have a clear understanding of the R&D program cluster and\nthe testing required to be performed. The sampling approach did not ensure that the auditors\xe2\x80\x99\nsample was representative of the universe of R&D awards. Rather, DCAA performed a risk-\nbased assessment of the Institute\xe2\x80\x99s awards and concluded that only three contracts needed to be\ntested. As a result, the sample was not representative of the universe because all Federal agency\nawards did not have an equal chance of being included in the transaction test sample. Therefore,\nthe testing performed did not provide appropriate evidence to support the auditors\xe2\x80\x99 opinion on\ncompliance with the requirements.\n\nPerformance and Documentation of Internal Control and Compliance Testing of\nFederal Requirements. In addition to the overall deficiency in the sampling approach used,\nDCAA failed to perform the review of internal controls and compliance of the R&D cluster in\naccordance with Circular A-133 requirements, auditing standards, and DCAA guidance.\nSpecifically, the auditors did not perform and document adequate procedures on internal controls\nand compliance with activities allowed/allowable cost principles; cash management; period of\navailability; procurement, suspension, and debarment; subrecipient monitoring, and the special\ntests and provisions requirements. DCAA also did not perform adequate compliance testing for\nthe equipment and real property requirement or internal control testing for the level of effort and\nreporting requirements. During our site visit, we gave the auditors opportunities to provide\nadditional explanations and support for the audit procedures performed; however, the auditors\nwere unable to provide additional information to mitigate the deficiencies identified.\n\nAuditing standards and Circular A-133 require the auditor to perform risk assessment procedures\nto obtain an understanding of internal control over compliance and to evaluate the design and\nimplementation of internal controls over compliance for each applicable requirement. The\npurpose of the procedures is to determine whether the controls are capable of preventing,\ndetecting, and correcting material noncompliance. As part of the review of internal controls, the\nauditor must also identify and test the operating effectiveness of key internal controls they intend\nto rely on in order to assess the risk of noncompliance due to the control environment. The\nauditor is required to document the risk assessment procedures performed, the results obtained,\n\n\n\n                                                 3\n\x0cand the conclusions reached. This assessment is used to establish the nature, timing, and extent\nof compliance testing needed to obtain sufficient and appropriate evidence to support the audit\nconclusions on compliance with laws, regulations, and the provisions of contracts or grant\nagreements that may have a direct and material effect on its major program.\n\nAuditing standards and DCAA policies and procedures require that audit documentation be\nappropriately detailed to provide a clear understanding of the work performed, the evidence\nobtained, and the conclusions reached. The documentation and audit evidence should be in\nsufficient detail to enable an experienced auditor with no previous connections to the audit to\nunderstand the nature, timing, extent, and results of audit procedures performed that supports the\nsignificant judgments and conclusions. In addition, audit documentation should be appropriately\norganized to provide a clear link to the findings, conclusion, and recommendations.\n\n         Activities Allowed/Unallowed and Allowable Costs/Cost Principles\nCompliance Requirements. The DCAA auditors did not perform adequate audit procedures\nto determine the Institute\xe2\x80\x99s internal control over and compliance with the activities\nallowed/unallowed and allowable costs/cost principles compliance requirements. DCAA\nobtained an understanding of the Institute\xe2\x80\x99s internal controls over compliance, but the working\npaper documentation did not provide evidence of any internal control testing performed. In\naddition, the DCAA auditors did not perform adequate tests of compliance on FY 2010 labor\ncosts. As stated in the Audit Planning section of this report, the DCAA auditors planned to test\nthree contracts to support conclusions on internal control over and compliance with\nrequirements. However, for the activities allowed/unallowed and allowable costs/cost principles\ncompliance requirements, the auditors limited the testing of direct labor costs to only one\ncontract. As a result, DCAA excluded $70 million of direct labor costs, representing 31 percent\nof total Federal expenditures from the testing population. The R&D program cluster is\ncomposed mainly of labor costs; therefore, DCAA should perform additional testing of labor\ncharges to the Federal program to ensure the Institute was in compliance with the activities\nallowed/allowable cost principles.\n\nDuring our review, we also noted inconsistencies between the working papers and audit report\nrelated to questioned costs. Specifically, DCAA did not report all questioned costs or document\nin the working papers the basis for not reporting the questioned costs. When asked, the DCAA\nauditors explained that some items were mistakenly excluded from the report, and other costs\nwere excluded because they were considered minimal. DCAA should clearly document in the\nworking papers the basis for any questioned costs not included in the audit report.\n\n        Cash Management. The DCAA auditors did not perform adequate audit procedures\nto determine the Institute\xe2\x80\x99s internal control over and compliance with the cash management\nrequirements for cost-reimbursement contracts. The objective of this requirement for\norganizations funded on a reimbursement basis is to verify that program costs are paid for by the\norganization before reimbursement is requested from the Federal Government.\n\nThe DCAA auditors obtained and documented an understanding of the Institute\xe2\x80\x99s internal\ncontrols; however, the working paper documentation did not provide evidence that DCAA\nidentified and performed tests of key internal controls that the Institute had in place to ensure\n\n\n\n                                                  4\n\x0ccompliance with cash management requirements. According to the supervisory auditor, the\ntesting of internal controls was limited to reviewing the Institute\xe2\x80\x99s policies and procedures and\nverifying that billings were prepared in accordance with the Institute\xe2\x80\x99s established billing\npractices. Although there is evidence in the DCAA working papers that the auditors performed\nthese reviews, there is no documentation to support that the reviews included the testing of key\ninternal controls relevant to the objectives of the cash management compliance requirement.\nDCAA\xe2\x80\x99s compliance testing did not demonstrate that the auditors verified that program costs\nwere paid before reimbursement was requested from the Federal Government. The supervisory\nauditor stated the testing was limited to verifying that the costs contained in the vouchers\nselected for review were supported by the Institute\xe2\x80\x99s accounting records. This testing is not\nrelevant to the objectives for this requirement because it does not provide any evidence that the\nInstitute paid the costs before requesting reimbursement from the Government.\n\n         Period of Availability. The DCAA auditors did not gain an adequate understanding of\ninternal controls or perform internal control and compliance testing for the period of availability\nrequirement. The only documentation in the audit files for the understanding of internal control\nwas the identification of control characteristics rather than the specific controls the Institute has\nin place to ensure compliance with this requirement. There was no documentation to support\nthat the auditor interviewed Institute personnel, inspected internal control manuals, or observed\nactivities to gain an understanding of the control processes. The documentation also did not\nprovide evidence that the auditor identified and evaluated the design and implementation of any\ninternal controls or identified key controls for testing. The DCAA auditors concluded that the\nInstitute did not have contracts that ended in FY 2010; therefore, they did not perform any audit\nprocedures for the review of internal control and compliance for the period of availability\nrequirement. Our independent review identified one contract that ended in FY 2010 that DCAA\nexcluded from their testing as noted in the Audit Planning section of this report. In addition, the\nCircular A-133, \xe2\x80\x9cCompliance Supplement,\xe2\x80\x9d and DCAA audit program guidance require the\nauditors to test transactions and adjustments that were recorded during the period of availability\nand verify that the underlying obligations occurred within the period of availability. However,\nthere was no evidence in the working paper documentation that this testing was performed. As a\nresult, there is no evidence to support that the Institute is complying with period of availability\nrequirements. The failure to properly test compliance with the period of availability compliance\nrequirement could result in unallowable costs being charged to Federal programs.\n\n        Procurement, Suspension, and Debarment. The DCAA auditors review of\ninternal controls and compliance was not adequate to support audit conclusion on this\nrequirement because the audit sampling was not performed and documented in accordance with\nCircular A-133 requirements and DCAA guidance. The AICPA Circular A-133 Audit Guide\nprovides the guidance for planning, performing, and evaluating audit samples. In addition, the\nguide provides suggested minimum sample sizes designed to provide sufficient appropriate audit\nevidence to support conclusions on internal controls over and compliance with requirements.\nAuditors may use professional judgment to determine whether larger sample sizes are warranted,\nbased on the results of other procedures performed and the risks and complexities of the\nsampling population. The DCAA Contract Audit Manual (CAM) Chapter 4, \xe2\x80\x9cGeneral Audit\nRequirements,\xe2\x80\x9d section 600, \xe2\x80\x9cAudit Sampling and Other Analytical Procedures,\xe2\x80\x9d provides\nguidance for selecting appropriate sample sizes. The guidance states that auditors should\n\n\n\n                                                  5\n\x0cdocument a sampling plan and that the sample sizes should be sufficiently large enough to\nreasonably provide sample results reflective of the true universe results.\n\nTo test the Institute\xe2\x80\x99s internal controls and compliance with this requirement, the DCAA auditors\nselected a sample of 4 items from a universe of 1,980 procurement transactions. The working\npaper documentation did not include a sampling plan to explain the basis for how the sample size\nselected would provide sufficient appropriate evidence to support audit conclusions. The DCAA\nauditors did not follow the AICPA Circular A-133 Audit Guide on minimum sample sizes or\nDCAA\xe2\x80\x99s policy when documenting and selecting the sample size for testing internal controls and\ncompliance. As a result, the working papers did not include sufficient evidence to support\nDCAA\xe2\x80\x99s conclusions on the Institute\xe2\x80\x99s compliance with Federal procurement regulations.\n\n         Subrecipient Monitoring. The DCAA auditors did not perform and document\nadequate procedures to support their conclusions on the Institute\xe2\x80\x99s internal controls over and\ncompliance with the subrecipient monitoring requirement. The objectives of this compliance\nrequirement include determining whether the pass-through entity properly identified Federal\naward information and compliance requirements to the subrecipient, monitored subrecipient\nactivities during the award period to provide reasonable assurance that the subrecipient\nadministered Federal awards in compliance with requirements, and ensured that required\nsubrecipient audits were performed and reviewed.\n\nThe working paper documentation indicates that the Institute uses a procurement checklist to\nmonitor their subrecipients. However, based on our review of the checklist, we could not\ndetermine how it was used to satisfy the objectives of subrecipient monitoring. Specifically, the\nprocurement checklist did not document the Institute\xe2\x80\x99s monitoring to ensure that the\nsubrecipients used Federal awards for authorized purposes; complied with laws, regulations, and\nthe provisions of contracts and grant agreements; and achieved performance goals. As a result,\nthere is no evidence in the working papers to support the Institute was monitoring subrecipient\nactivities during the award. The DCAA auditors documented a review of subrecipient audit files\nto determine whether the Institute maintained copies of the subrecipient audit reports or a copy\nof the subrecipient notification that no findings were reported. The DCAA auditors review noted\nthat the subrecipient audit reports and notifications were not being maintained in the audit files.\nDCAA documented in the working papers that the Institute\xe2\x80\x99s management asserts that they are\nnot notified of subrecipient audits results because they can monitor the outcomes through the\nFederal Audit Clearinghouse. As a result, DCAA concluded that the Institute was complying\nwith the objectives of this requirement based on management\xe2\x80\x99s assertions. However, the DCAA\nworking papers did not document evidence of audit procedures performed to verify the assertions\nmade by management.\n\nAuditing standards require the auditors to obtain sufficient appropriate audit evidence by\nperforming audit procedures to support their conclusions. Inquiry of management alone\nordinarily does not provide sufficient appropriate audit evidence and is not sufficient to test the\noperating effectiveness of controls. We asked the DCAA auditors what their basis was for\nconcluding that the Institute was reviewing subrecipient audit reports and were informed that\nthere was no explanation other than no findings were noted on the Institute\xe2\x80\x99s program. The\n\n\n\n\n                                                  6\n\x0cauditor\xe2\x80\x99s explanation is not considered sufficient to support conclusions that the Institute is\nreviewing subrecipient audit reports.\n\nThe working paper documentation notes the Institute is responsible for monitoring $12 million\ndollars in subrecipient expenditures. Based on our analysis of the working papers and\ndiscussions with the auditors, we determined there is insufficient evidence to support the\nauditors\xe2\x80\x99 conclusions on the Institute\xe2\x80\x99s compliance with subrecipent monitoring requirements.\nAs a result, there is no assurance that the $12 million dollars in subrecipent expenditures were\nused for authorized purposes and in compliance with laws, regulations, and contract and grant\nagreements.\n\n        Special Tests and Provisions. The DCAA auditors did not obtain an adequate\nunderstanding of internal controls or perform audit procedures to test internal controls and\ncompliance with this requirement. The specific requirements for special tests and provisions are\nunique to each Federal program and are in the laws, regulations, and the provisions of contract or\ngrant agreements pertaining to the program. The DCAA auditors documented their review of the\nInstitute\xe2\x80\x99s federally funded research and development center sponsoring agreements and\ncontracts. However, due to a lack of understanding of the special tests and provisions\nrequirement, DCAA identified multiple standard contract clauses that they planned to test in\nother compliance requirements, but failed to properly identify and review any special tests and\nprovisions.\n\nWe determined that the sponsoring agreements included a special provision requiring the\nInstitute to obtain prior written approval from the sponsoring agency before Institute personnel\ncan work on contracts from agencies other than sponsoring agency (Federal Acquisition\nRegulation 35.017, \xe2\x80\x9cFederally Funded Research and Development Center\xe2\x80\x9d). We also identified\nother special tests and provisions in the Institute\xe2\x80\x99s contracts such as key personnel requirements\nand prior approval of consultant costs. As a result, we concluded that the procedures performed\nby the DCAA auditors were not sufficient to identify the existence of special tests and\nprovisions.\n\n       Equipment and Real Property. DCAA did not perform adequate audit procedures to\ndetermine the Institute\xe2\x80\x99s compliance with the equipment and real property compliance\nrequirement. The objectives of this requirement include verifying that the organization\nmaintains proper records, adequately safeguards and maintains equipment, and disposes of\nequipment in accordance with Federal requirements.\n\nThe DCAA audit program and the AICPA Circular A-133 Audit Guide direct the auditor to\nselect a sample from the property records of all equipment identified as acquired under Federal\nawards and physically inspect the equipment, including whether the equipment is appropriately\nsafeguarded and maintained. However, the DCAA auditors limited their sample population and\ntesting to only equipment items purchased on one contract during FY 2010.\n\nTo assess the significance of total equipment costs, we requested a listing of equipment\npurchased with Federal funds. Based on the listing provided, the Institute is responsible for\nsafeguarding and maintaining equipment valued at $42 million. The DCAA auditors selected\n\n\n\n                                                  7\n\x0ctheir sample from a population valued only at $422,982, which represents approximately one\npercent of the total Federal equipment. As a result, we determined that the auditor\xe2\x80\x99s testing was\nnot sufficient to support their conclusions on the Institute\xe2\x80\x99s compliance with this requirement.\n\nIn addition, the DCAA auditors\xe2\x80\x99 working papers indicated that the Institute did not dispose of\nany Federal equipment in fiscal year 2010; therefore, no audit procedures were performed.\nBased on our independent inquiry with the Institute, we also found that the Institute was\nauthorized to make equipment dispositions in FY 2010. Therefore, the auditors should have\ndetermined the materiality of equipment dispositions, and planned and performed further audit\nprocedures as needed to verify that dispositions were properly classified and reflected in the\nproperty records.\n\nBased on our review, we concluded that the DCAA audit procedures did not provide sufficient\nevidence to support the conclusions on the Institute\xe2\x80\x99s compliance with equipment requirements\nfor the use, management, and disposition of equipment acquired under Federal awards. Due to\nthe significance of the equipment costs, DCAA should perform additional procedures to assess\nthe Institute\xe2\x80\x99s compliance with the equipment compliance requirement.\n\n        Level of Effort and Reporting Compliance Requirements. DCAA obtained an\nunderstanding of the Institute\xe2\x80\x99s internal controls over compliance for the level of effort and\nreporting requirements. However, there was no documentation to support that the auditor\nperformed any procedures for the review and testing of internal controls. The working papers\ndid not provide an audit trail between the description of internal controls, the controls to be\ntested, and the evidence of the internal control testing performed. Because the auditor did not\nperform an adequate review of internal controls over compliance, the auditor had no basis for\nestablishing the nature, timing, and extent of compliance testing needed to obtain sufficient\nevidence to support the audit conclusions on compliance. In addition, the auditors did not\nadequately document the compliance testing that was performed. The supervisory auditor had to\nprovide additional explanations and clarification on the work performed to determine the\nInstitute\xe2\x80\x99s compliance with these requirements.\n\n        Fraud Risk Assessment Procedures. DCAA did not perform sufficient fraud risk\nassessment procedures during the planning and performance of the audit. The DCAA Circular\nA-133 audit program procedures required the auditor to evaluate only the fraud risk indicators\nidentified in the DoD IG, \xe2\x80\x9cHandbook on Fraud Indicators for Contract Auditors.\xe2\x80\x9d The working\npapers documented that the evaluation of fraud indicators was limited to a review of \xe2\x80\x9cHandbook\non Fraud Indicators for Contract Auditors.\xe2\x80\x9d Based on this review, DCAA concluded that there\nwere no identified fraud risks.\n\nCircular A-133 requires that the single audits be performed in accordance with government\nauditing standards applicable to financial statements, which incorporate the AICPA auditing\nstandards. The AICPA auditing standard, AU \xc2\xa7316, \xe2\x80\x9cConsideration of Fraud in a Financial\nStatement Audit,\xe2\x80\x9d requires the auditor to plan and perform the audit to obtain reasonable\nassurance that material misstatements and noncompliance, whether caused by error or fraud, are\ndetected. Specifically, as a means of obtaining information needed to identify fraud risk areas,\n\n\n\n\n                                                8\n\x0cthe standards require, among other procedures, inquiries of management during the planning\nprocess to determine if they have knowledge of any fraud or suspected fraud affecting the entity.\n\nThe need to update the Contract Audit Manual terminology on communicating matters related to\ninternal control was previously reported in DODIG Report No. D-2011-6-004, \xe2\x80\x9cReport on\nQuality Control Review of the PricewaterhouseCoopers LLP and the Defense Contract Audit\nAgency FY 2008 Single Audit of the Charles Stark Draper Laboratory, Incorporated,\xe2\x80\x9d\nFebruary 28, 2011, and DODIG Report No. D-2011-6-002, \xe2\x80\x9cReport on Quality Control Review\nof the Deloitte & Touche and the Defense Contract Audit Agency FY 2008 Single Audit of the\nAerospace Corporation,\xe2\x80\x9d October 29, 2010.\n\nDCAA management concurred with our findings and recommendations and has taken corrective\nactions. DCAA has revised its\xe2\x80\x99 Circular A-133 standard audit program to include the procedures\nrequired by AU \xc2\xa7316. DCAA also revised CAM Chapter 13, \xe2\x80\x9cAudits at Educational Institutions,\nNonprofit Organizations, and Federally Funded Research and Development Centers (FFRDCs),\xe2\x80\x9d\nto include guidance on performing fraud risk assessment procedures and reporting in the\nCircular A-133.\n\nConclusion. The DCAA auditors\xe2\x80\x99 work does not meet the requirements of the auditing\nstandards and Circular A-133 audit requirements. As a result, Federal agencies and pass-through\nentities cannot rely on the audit for assurance that the Institute managed Federal awards in\ncompliance with laws, regulations, and award provisions. Additional audit procedures must be\nperformed before the audit report can be used by Federal agencies and pass-through entities to\nmonitor and manage awards to the Institute. In addition, the deficiencies disclosed by our review\nand prior quality control reviews, noted in Appendix A, indicate DCAA management needs to\nimplement more effective quality control procedures for the Circular A-133 audits and provide\nadditional training in auditing standards and Circular A-133 requirements to auditors performing\nCircular A-133 audits.\n\nFinding B. Circular A-133 Reporting Package\nDCAA did not obtain and incorporate in their report the Institute\xe2\x80\x99s comments on the findings as\nrequired by auditing standards and Circular A-133 requirements. In addition, the Institute did\nnot include its corrective action plan in the reporting package submitted to the Federal Audit\nClearinghouse (the Clearinghouse). Also, DCAA did not comply with DoD regulations when\nmarking the report \xe2\x80\x9cFor Official Use Only\xe2\x80\x9d (FOUO) and did not correctly prepare the data\ncollection form.\n\nCorrective Action Plan. The DCAA auditors did not obtain the views from the responsible\nofficials\xe2\x80\x99 at the Institute on the reported findings and any planned corrective actions. The audit\nreport indicated that the Institute\xe2\x80\x99s corrective action plan in response to the findings would not be\nincorporated because it was not practical due to the additional time required to complete the\naudit work. Based on discussions with DCAA and the Institute, the auditors did not provide the\nInstitute the final reported findings until June 21, 2011. Consequently, the Institute did not have\nsufficient time to review the findings, develop and incorporate a comprehensive corrective action\nplan, and submit the Circular A-133 reporting package by the June 24, 2011, filing deadline.\n\n\n                                                 9\n\x0cInstead, the Institute submitted the reporting package without the corrective action plan required\nby Circular A-133 reporting requirements.\n\nCircular A-133 and auditing standards require auditors to obtain and report the views of\nresponsible officials concerning the findings, conclusions, and recommendations, and planned\ncorrective actions. The auditors should include in the report an evaluation of the comments\nprovided and an explanation for any disagreements. Obtaining the views of responsible officials\nhelps the auditors develop a report that is fair, complete, and objective. In addition, it provides\nauditors the opportunity to address any disagreements with the auditee, which assists contracting\nofficers in their follow-up actions on reported findings. Circular A-133 requires the auditee to\nprepare a corrective action plan to address each audit finding and to include it with the reporting\npackage submitted to the Clearinghouse.\n\nThe Institute took corrective actions on the FY 2010 single audit and submitted a revised\nreporting package, including a corrective action plan, to the Clearinghouse on\nSeptember 26, 2011. The Institute\xe2\x80\x99s actions were sufficient to address the deficiency. However,\nbecause the corrective action plan was submitted after the DCAA audit report was issued, DCAA\nhas not addressed the Institute\xe2\x80\x99s comments on the findings, conclusions, and recommendations.\nAs a result, DCAA should revise its report to address an evaluation of the Institute\xe2\x80\x99s comments,\nreasons for disagreements, or modifications to the report as required by auditing standards.\n\nFor Official Use Only. DCAA auditors prepared a Circular A-133 report that contained an\nFOUO marking and informed the Institute they had no objection to the Institute removing the\nmarking. This procedure is not in compliance with DoD regulations and does not safeguard the\nreport from alteration. Further, a report marked FOUO limits the Institute\xe2\x80\x99s ability to comply\nwith Circular A-133 requirements that require auditees to make the single audit report available\nfor public inspection.\n\nThe DCAA guidance requires that all audit reports not containing classified information be\nmarked as FOUO. Further, the guidance states that auditors should provide an electronic version\nof Circular A-133 report and advise the auditee to remove the FOUO restrictions from the report\nprior to incorporation in the reporting package submitted to the Clearinghouse. The FOUO\nmarking restricts release of the report to the public because the report may contain information\nthat is exempt from mandatory disclosure under the Freedom of Information Act. DoD\nManual 5200.01, \xe2\x80\x9cInformation Security Program,\xe2\x80\x9d January 1997, states that it is the\nresponsibility of the document\xe2\x80\x99s originator to determine at the time a document is created\nwhether the information may qualify for FOUO status and to ensure markings are applied as\nrequired. When FOUO status is not warranted, the marking shall be removed by lining-through\nor other appropriate means prior to the report being released outside of the Department of\nDefense. When withholding criteria are met, the records shall be marked FOUO and the\nrecipient provided an explanation for the marking.\n\nThe DCAA guidance does not comply with DoD regulations because DCAA is identifying the\nreport as FOUO but directing the auditee to remove the marking. At the time the report is\ncreated, DCAA must make a determination whether the FOUO marking applies and should not\ninclude the marking when it is not warranted. To protect the integrity of reports, DCAA should\n\n\n\n                                                10\n\x0cnot allow anyone other than an authorized DCAA official to change an audit report. Because\nDCAA is providing an electronic copy of the report, auditees can redact or change pertinent\ninformation in the report. DCAA must revise their current guidance regarding Circular A-133\naudit reports to ensure report integrity and to comply with DoD regulations and Circular A-133\nrequirements.\n\nData Collection Form. The DCAA auditors did not correctly prepare the data collection form\nbecause they failed to mark all the Institute\xe2\x80\x99s contracts as part of the major program. Circular\nA-133 states that the R&D cluster shall be considered one program. The Institute\xe2\x80\x99s contracts are\nall included in the R&D cluster. Since the Institute has only one major program, all contracts\nshould have been identified as part of the major program. Due to a lack of understanding of the\nR&D cluster, DCAA failed to accurately identify several contracts as part of the major program.\nAs a result, the data collection form is not accurate and should be updated to properly reflect the\nmajor program.\n\nRecommendations, Management Comments, and Our\nResponse\n\n1. We recommend that the Director, Defense Contract Audit Agency:\n\n\n        a. Revise the Defense Contract Audit Agency Contract Audit Manual Chapter 13,\n           \xe2\x80\x9cAudits at Educational Institutions, Nonprofit Organizations, and Federally\n           Funded Research and Development Centers (FFRDCs),\xe2\x80\x9d to ensure the guidance\n           conforms with DoD Regulation 5200.01 and Circular A-133 reporting\n           requirements and protects the integrity of the audit report.\n\nDCAA Comments. The Director, Defense Contract Audit Agency, office concurred to the\nrecommendation. DCAA agreed to protect the integrity of the audit report by no longer advising\nthe auditee to remove the FOUO restrictions from the report. However, DCAA stated they\nwould continue their policy to place the FOUO restrictive marking on all audit reports, including\nCircular A-133 audit reports to prevent unauthorized public disclosure of sensitive, confidential,\nor proprietary data. Management comments are included in their entirety at the end of this\nreport.\n\nOur Response. The DCAA comments were partially responsive to our recommendation. The\nDCAA planned action to continue placing the FOUO restrictive marking on Circular A-133 audit\nreports does not meet the intent of the Single Audit Act or its implementation in Circular A-133.\nThe Single Audit Act and Circular A-133 require the audit report be made available for public\nreview. Therefore, Circular A-133 audit reports differ from other audit reports prepared by\nDCAA for the contracting officer\xe2\x80\x99s use in contract administration. In addition, Circular A-133\nrequires auditees that are subrecipients to submit the audit report to pass-through entities 2 when\n\n2\n A pass-through entity means a non-Federal entity that provides a Federal award to a subrecipient to carry out a\nFederal program.\n\n\n                                                        11\n\x0cthe report discloses audit findings relating to the Federal awards the pass-through entity\nprovided. By issuing an audit report with an FOUO marking, DCAA is restricting the auditee\xe2\x80\x99s\nability to comply with these requirements. As a result, DCAA should have a separate policy for\nCircular A-133 audit reports. We request that DCAA reconsider its position on including the\nFOUO restrictive marking on Circular A-133 audit reports.\n\n       b. Develop or obtain a training program for auditors performing single audits,\n          assess the technical abilities of auditors and supervisors assigned to perform\n          single audits, and ensure that the appropriate level of supervision is\n          commensurate with the technical assessment to ensure that the audits comply\n          with Circular A-133 requirements.\n\nDCAA Comments. The Director, Defense Contract Audit Agency, office agreed to take the\nrecommended actions. Management comments are included in their entirety at the end of this\nreport.\n\nOur Response. DCAA comments were responsive to our recommendation. No additional\ncomments are needed.\n\n2. We recommend that the Branch Manager, Chesapeake Bay Branch Office:\n\n\n       a. Perform additional audit procedures in accordance with the requirements of\n          Circular A-133 and government auditing standards to address the deficiencies in\n          this report and determine the adequacy of the Institute for Defense Analyses\xe2\x80\x99\n          internal controls over and compliance with requirements.\n\n       b. Revise the reporting package to reflect, at a minimum, the date the revised audit\n          work was completed, the evaluation of the Institute\xe2\x80\x99s corrective action plan, and\n          the correction of the data collection form to reflect the identification of all\n          contracts as part of the major program.\n\n       c. Provide the revised audit reporting package to the Institute for submission to the\n          Federal Audit Clearinghouse.\n\nDCAA Comments. The Branch Manager, Chesapeake Bay Branch office agreed to take the\nrecommended actions. Management comments are included in their entirety at the end of this\nreport.\n\nOur Response. DCAA comments were responsive to our recommendation. No additional\ncomments are needed.\n\n3. We recommend that the Treasurer, Institute for Defense Analyses:\n\n       a. Include the corrective action plan in all future reporting packages in accordance\n          with Circular A-133 reporting requirements.\n\n\n\n                                              12\n\x0c\x0cAppendix A. Quality Control Review Process\nCriteria, Scope, and Methodology\nPublic Law 98-502, \xe2\x80\x9cThe Single Audit Act of 1984,\xe2\x80\x9d as amended, was enacted to improve the\nfinancial management of State and local governments and nonprofit organizations by\nestablishing a uniform set of auditing and reporting requirements for all Federal award recipients\nrequired to obtain a single audit. Circular A-133 establishes policies that guide the\nimplementation of the Single Audit Act and provides an administrative foundation for uniform\naudit requirements of non-Federal entities administering Federal awards. Entities that expend\n$500,000 or more in a year are subject to the Single Audit Act and audit requirements in Circular\nA-133. Therefore, they must have an annual single or program-specific audit performed under\ngovernment auditing standards and submit a complete reporting package to the Federal Audit\nClearinghouse.\n\nWe reviewed the PricewaterhouseCoopers, LLP and the Defense Contract Audit Agency\nFY 2010 single audit of the Institute for Defense Analyses and the reporting package that was\nsubmitted to the Federal Audit Clearinghouse on September 16, 2011, using the 2010 edition of\nthe \xe2\x80\x9cGuide for Quality Control Reviews of OMB Circular A-133 Audits.\xe2\x80\x9d The Guide applies to\nany single audit that is subject to the requirements of Circular A-133 and is the approved Council\nof Inspectors General on Integrity and Efficiency checklist for performing quality control\nreviews. The review was conducted in accordance with the Quality Standards for Inspection and\nEvaluation. We performed the review from September 2011 through October 2012. The review\nfocused on the following qualitative aspects of the single audit:\n\n             \xe2\x80\xa2    Qualification of Auditors,\n\n             \xe2\x80\xa2    Independence,\n\n             \xe2\x80\xa2    Due Professional Care,\n\n             \xe2\x80\xa2    Planning and Supervision,\n\n             \xe2\x80\xa2    Audit Follow-Up,\n\n             \xe2\x80\xa2    Internal Control and Compliance testing,\n\n             \xe2\x80\xa2    Schedule of Expenditures of Federal Awards, and\n\n             \xe2\x80\xa2    Data Collection Form.\n\n\n\n\n                                               14\n\x0cPrior Quality Control Reviews\nSince October 1, 2007, we performed two quality control reviews of DCAA Circular A-133\nsingle audit and two of PricewaterhouseCoopers Circular A-133 audits. All audits contained\ndeficiencies resulting in findings and recommendations on audit planning/coordination,\nperformance, reporting, and documentation. Unrestricted IG DoD reports can be accessed at\nhttp://www.dodig.mil/audit/reports.\n\nDODIG Reports\n\nDODIG Report No. D-2011-6-004, \xe2\x80\x9cReport on Quality Control Review of the\nPricewaterhouseCoopers, LLP and the Defense Contract Audit Agency FY 2008 Single Audit of\nthe Charles Stark Draper Laboratory, Incorporated\xe2\x80\x9d February 28, 2011\n\nDODIG Report No. D-2011-6-002, \xe2\x80\x9cReport on Quality Control Review of the Deloitte & Touche\nand the Defense Contract Audit Agency FY 2008 Single Audit of the Aerospace Corporation, \xe2\x80\x9d\nOctober 29, 2010\n\nDODIG Report No. D-2008-6-003, \xe2\x80\x9cReport on Quality Control Review of FY 2006 Single Audit\nof Logistics Management Institute,\xe2\x80\x9d March 19, 2008\n\nDODIG Report No. D-2008-6-002, \xe2\x80\x9cQuality Control Review of FY 2006 Single Audit of\nSyracuse Research Corporation,\xe2\x80\x9d January 25, 2008\n\n\n\n\n                                              15\n\x0cAppendix B. Compliance Requirements\n\n      OMB Circular A-133 Compliance             Applicable   Not Applicable\n             Requirements\n\nActivities Allowed/Unallowed                        X\n\nAllowable Costs/Cost Principles                     X\n\nCash Management                                     X\n\nDavis-Bacon Act                                                    X\n\nEligibility                                                        X\n\nEquipment and Real Property Management              X\n\nMatching, Level of Effort, Earmarking               X\n\nPeriod of Availability of Federal Funds             X\n\nProcurement, Suspension, and Debarment              X\n\nProgram Income                                                     X\n\nReal Property Acquisition and Relocation                           X\nAssistance\nReporting                                           X\n\nSubrecipient Monitoring                             X\n\nSpecial Tests and Provisions                        X\n\n\n\n\n                                           16\n\x0cInstitute for Defense Analyses Comments\n\n\n\n\n                      17\n\x0cDefense Contract Audit Agency Comments\n\n\n\n\n                    18\n\x0c19\n\x0c20\n\x0c\x0c'